Since moving to Version 7.2 we have had repeated issues with new users registering on the site but then not setting a password before the token they are emailed has expired.
We have increased this timeout to 240 minutes (4 hours) from the default 60 minutes, but it is still a recurring problem. As a token can be reused until it expires, I am loath to increase this timeout any more (though interestingly administrator-generated emails have a 24-hour timeout?).
I see a logical, yet still secure, solution to this as allowing a password token that has an expiry of several days (if at all) but that can only be used once. As a result, a user who sets a password immediately cannot have their password reset without their knowledge (as the token has "expired" once used), but someone who waits a day or two before setting their password still has a valid token / link in the email they have received.
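The single-use, multi-day token proposed above, as an added sketch that is not part of the original post and not the product's own code. The `SetupTokenStore` class, its in-memory table and the three-day lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time


class SetupTokenStore:
    """In-memory stand-in for a token table (hypothetical, not the product's schema)."""

    def __init__(self, ttl_seconds=3 * 24 * 3600, clock=time.time):
        self.ttl = ttl_seconds   # assumed lifetime: three days
        self.clock = clock
        self._rows = {}          # sha256(token) -> {"user", "expires", "used"}

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        # Issuing a new token revokes any outstanding token for the same user.
        self._rows = {d: r for d, r in self._rows.items() if r["user"] != user}
        token = secrets.token_urlsafe(32)
        self._rows[self._digest(token)] = {
            "user": user, "expires": self.clock() + self.ttl, "used": False}
        return token

    def redeem(self, token):
        """Return the user name on the first valid use, otherwise None."""
        row = self._rows.get(self._digest(token))
        if row is None or row["used"] or self.clock() >= row["expires"]:
            return None
        row["used"] = True  # in a real database: one atomic UPDATE ... WHERE used = 0
        return row["user"]


def demo():
    now = [0.0]  # constructed clock so the example runs instantly
    store = SetupTokenStore(clock=lambda: now[0])
    late = store.issue("alice")
    now[0] += 2 * 24 * 3600       # alice waits two days before clicking
    first = store.redeem(late)    # still valid
    replay = store.redeem(late)   # same link used again: rejected
    stale = store.issue("bob")
    now[0] += 4 * 24 * 3600       # bob waits past the three-day limit
    expired = store.redeem(stale)
    return first, replay, expired


if __name__ == "__main__":
    print(demo())
```

In a real deployment the used flag has to be set in the same atomic database operation that validates the token, so two concurrent requests cannot both redeem it.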